ServiceNow Misconfiguration Exposes Sensitive Data

Executive Summary

ServiceNow, a pivotal cloud-based platform for automating various IT and business management processes, has recently disclosed on its support site a configuration issue that could lead to “unintended access” to sensitive data.

This problem, rooted in misconfigured Access Control Lists (ACLs), could allow unauthorised individuals to access specific tables containing sensitive data. While ServiceNow has initiated remediation measures, it’s crucial for organisations using ServiceNow to verify that the implemented fixes adequately protect them against such exposures.

About the Issue

The core of the issue resides in the misconfiguration of Access Control Lists (ACL) within ServiceNow. When improperly configured, unauthenticated threat actors could exploit the SimpleListWidget to access specific tables holding sensitive data. This misconfiguration has been a hidden issue since ACLs were introduced in 2015.

In public instances of ServiceNow portals, if an Access Control List (ACL) is configured without a role, condition, or script, a threat actor could misuse the SimpleListWidget, a ServiceNow widget that allows ad-hoc querying of data from the system. By default, the widget is set to public without any defined roles.

According to a report in 2022, almost 70% of ServiceNow instances tested were found to be vulnerable to a similar misconfiguration, which was caused by a combination of misconfigured ACLs and over-provisioning of permissions to guest users.

If left unaddressed, the exposure could lead to significant leakage of sensitive corporate data, including IT tickets, employee details, internal knowledge bases, and more.


ServiceNow has offered remediation steps to address this misconfiguration issue. The steps include:

  • Reviewing and properly configuring Access Control Lists (ACLs) to ensure alignment with their intended purpose.
  • Setting the “Public” flag to false where it’s not aligned with use cases for public widgets.
  • Considering the implementation of stricter access control measures, such as IP Address Access Control or Adaptive Authentication.
  • Installing the ServiceNow Explicit Roles Plugin to prevent external users from accessing internal data.
  • Employing a SaaS Security Posture Management (SSPM) solution like Adaptive Shield for identifying risky misconfigurations and ensuring compliance.

Please refer to ServiceNow’s KB article for more information about the problem and its solutions.

Even after implementing ServiceNow’s fix, it’s wise for organisations to reassess their exposure and confirm that the remediation steps have been effectively carried out to prevent any potential data leakage.
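
One way to run that reassessment offline, as an added example that is not ServiceNow's code or part of its KB article: the script below flags active ACLs that have no role, condition, or effective script, and widgets left public with no roles. It assumes ACL and widget records have been exported to JSON; the field names (`name`, `operation`, `active`, `roles`, `condition`, `script`, `isPublic`) and all sample records are constructed for illustration.

```javascript
// Added example: offline review of exported configuration, not ServiceNow's code.
// Field names below are assumptions about how the export was flattened.

// Constructed sample records, not taken from any real instance.
const sampleAcls = [
  { name: "incident", operation: "read", active: true, roles: [], condition: "", script: "" },
  { name: "kb_knowledge", operation: "read", active: true, roles: [], condition: null, script: "// TODO\n" },
  { name: "sys_user", operation: "read", active: true, roles: ["itil"], condition: "", script: "" },
  { name: "cmdb_ci", operation: "read", active: true, roles: [], condition: "active=true", script: "" },
  { name: "task", operation: "read", active: false, roles: [], condition: "", script: "" },
  { name: "hr_case", operation: "read", active: true, roles: [], condition: "", script: "answer = gs.hasRole('hr');" },
];
const sampleWidgets = [
  { name: "SimpleListWidget", isPublic: true, roles: [] },
  { name: "Approvals", isPublic: false, roles: [] },
  { name: "Partner List", isPublic: true, roles: ["partner"] },
];

const isBlank = (v) => v == null || String(v).trim() === "";

// A script that holds only comments or whitespace enforces nothing.
function scriptIsEmpty(script) {
  if (isBlank(script)) return true;
  const code = String(script).replace(/\/\*[\s\S]*?\*\//g, "").replace(/\/\/.*$/gm, "");
  return code.trim() === "";
}

// Active ACLs with no role, no condition and no effective script.
function findUnrestrictedAcls(acls) {
  return acls.filter((a) => a.active !== false && (a.roles || []).length === 0 &&
    isBlank(a.condition) && scriptIsEmpty(a.script));
}

// Widgets flagged public with no role requirement.
function findPublicWidgets(widgets) {
  return widgets.filter((w) => w.isPublic === true && (w.roles || []).length === 0);
}

function buildReport(acls, widgets) {
  return {
    unrestrictedAcls: findUnrestrictedAcls(acls).map((a) => `${a.name}.${a.operation}`),
    publicWidgets: findPublicWidgets(widgets).map((w) => w.name),
  };
}

console.log(JSON.stringify(buildReport(sampleAcls, sampleWidgets), null, 2));
```

Each entry in the report is a candidate for review against its intended use, not proof of exposure; an ACL with a comment-only script is treated the same as one with no script at all.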



Cubic Lighthouse is a cybersecurity publication dedicated to demystifying security, making news actionable, providing deeper thinking about the fundamentals of security, and providing decision-makers and the community at large with the right information to make the right decisions. We will also feature more technical articles and provide personal/family security advice.

©2024 Cubic Consulting, a Smart Security Company for your Business – All Rights Reserved.